Thousands of Companies Now Reported to Be Giving Up Your Data — But Are They Being Forced to Do It by Law?

154

Shares

Email this story to a friend

It has long been known that communication companies and others comply with government and law enforcement requests for data about users, when sought through the proper legal channels. But the revelation little more than a week ago that Verizon had been dishing up what seemed to be an indiscriminate amount of phone record data to the NSA, sparked a renewed interest in who gives up your data — and why.

A TV screen shows a news report with the logo of Verizon at a shopping mall in Hong Kong Wednesday, June 12, 2013. The American Civil Liberties Union sued the Obama administration Tuesday, asking the government to halt a phone-tracking program that collects the telephone records of millions of Americans, and that it says is unconstitutional. Last week, Britain’s Guardian newspaper reported the secret Foreign Intelligence Surveillance Court on April 25 issued an order granting the NSA permission to collect telephone records of millions of Verizon customers. The order was good until July 19, the newspaper said. (Photo: AP/Kin Cheung)

Here’s what Bloomberg reported about companies willingness to work with the government:

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.’s major spy agencies, the people familiar with those programs said.

In recent years, lawmakers concerned about cybersecurity have been trying to develop and pass legislation that would encourage further information sharing between private companies and the government. The controversial Cyber Intelligence Sharing and Protection Act (CISPA), for example, which was passed in the House earlier this year, is intended to help the government and private companies swap data to better protect systems against hackers and malicious software. Privacy advocates worry though that this information sharing could extend to personal information of customers.

U.S. Army Gen. Keith Alexander, commander of the U.S. Cyber Command, director of the National Security Agency (NSA) arrives at a Senate Appropriations Committee hearing on Capitol Hill, June 11, 2013 in Washington, DC. The committee is hearing testimony on Cybersecurity from Gen. Keith Alexander and other government officials. (Photo: Mark Wilson/Getty Images)

The White House has threatened twice to veto CISPA because “citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately.” The Obama administration, on the other hand, has also said it is discussing incentives for companies that would cooperate with information sharing as it pertains to cyberthreats.

But ultimately, do companies want to divulge your information?

Elad Yoran, CEO of the cloud security firm Vaultive and a member of the FBI’s IT advisory council and a DHS advisory board, told TheBlaze in an interview this week that cloud providers, which are increasingly used to store a vast amount of user information these days, don’t necessarily want to share data.

“They aren’t turning data over because they want to. They’re turning it over because they have to,” by law, Yoran said.

Ben Levitan, a wireless telecommunications expert in the industry for more than three decades and who was involved discussions about early wiretapping laws as they pertained to cellphones, echoed this sentiment.

When in discussions about the Communications Assistance for Law Enforcement Act (CALEA), which was passed in 1994, Levitan said the industry fought back, however unsuccessfully, against some of the wiretap compliance requirements made by the government because adding the new features to the system to allow wiretapping and having people to maintain it placed a burden on them.

As for collection of metadata — which Levitan said is also called “call detail records” and is what the NSA was found to have been analyzing — this information is collected by the phone company anyway for billing purposes and troubleshooting. But meeting law enforcement requests — small and large — still requires time and sometimes infrastructure, Levitan pointed out.

Bloomberg in its recent report also noted that major internet companies asked and received a letter from the U.S. attorney general ensuring they wouldn’t be held liable for any cases brought against them regarding wiretap laws. Bloomberg reported a person familiar with the letter saying that the system didn’t technically meet the definition of wiretapping but immunity was granted anyway.

Senate Appropriations Committee member Sen. Jeff Merkley, D-Ore. holds up his Verizon cell phone as he asks a question of Gen. Keith B. Alexander, director of the National Security Agency, during the committee’s hearing on cybersecurity and funding, Wednesday, June 12, 2013, on Capitol Hill in Washington. Sen. Tom Udall, D-N.M. , watches at right. It is the first public appearance by an NSA official since revelations that the electronic surveillance agency is sweeping up Americans’ phone and Internet records in its quest to investigate terrorist threats. (Photo: AP/J. Scott Applewhite)

In addition to costing phone companies time and money to meet these requests, it also gets customers concerned about their privacy rights riled up. Some companies have taken steps to be as transparent as possible about how they handles government requests for data, in an effort to mitigate these concerns held by some users.

Google has been publishing a transparency report to be as straight forward as possible with its users about how many of the requests it complies with on a biannual basis. Even more so, the tech giant recently petitioned the Obama administration to allow it to disclose even more details about the U.S. government’s demands for email and other personal information transmitted online as part of the company’s effort to distance itself from media reports saying it was directly passing user information to the NSA.

Google insists it hasn’t been handing over user data on a broad scale, something the company believes it can prove if it receives clearance to disclose the number of requests that have been submitted under the Foreign Intelligence Surveillance Act, or FISA.

Federal law currently prohibits recipients of FISA requests from revealing information about them.

“Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made,” David Drummond, Google’s chief legal officer, wrote to Holder and Mueller. “Google has nothing to hide.”

The reports surfaced last week after a government contractor leaked confidential documents revealing the NSA has been tapping into the computers of Google Inc. and many other Internet services to retrieve information about foreigners living outside the U.S. The other companies linked to PRISM are: Microsoft, Facebook, Yahoo Inc., Apple Inc., AOL Inc., Paltalk, Google’s YouTube and Microsoft’s Skype.

All the companies and services have denied giving the U.S. government unfettered access to user data. The companies say they only turn over user data under legally binding orders, and try to regularly resist orders considered to be too broad.

Minimizing the appearance of their involvement in PRISM is important to the technology companies. The companies don’t want Web surfers to become paranoid about sharing personal information on their services or, worse yet, avoiding their websites altogether.